[Bug 2003570] Re: [MIR] rich
Mark Esler
2003570 at bugs.launchpad.net
Mon Feb 20 19:35:34 UTC 2023
I reviewed rich 13.2.0-2 as checked into lunar. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.
> Rich is a Python library for rich text and beautiful formatting in the terminal.
- CVE History:
  - none
  - upstream bug tracker is fairly well maintained
  - no security concerns
    - except https://github.com/Textualize/rich/issues/1903
- Build-Depends?
  - lunar main
    - debhelper-compat (debhelper)
    - python3-all (python3-defaults)
    - python3-setuptools (setuptools)
  - lunar universe
    - flit
    - pybuild-plugin-pyproject
    - python3-pytest (dh-python)
    - python3-markdown-it (active MIR)
    - python3-mypy (mypy)
    - python3-poetry-core (poetry)
    - python3-pygments
    - python3-pytest (pytest)
    - python3-typing-extensions (active MIR)
- pre/post inst/rm scripts?
  - yes, standard prerm and postinst generated by dh-python
    - dh-python is required, but missing from d/control !?
- init scripts?
  - none
- systemd units?
  - none
- dbus services?
  - none
- setuid binaries?
  - none
- binaries in PATH?
  - none
- sudo fragments?
  - none
- polkit files?
  - none
- udev rules?
  - none
- unit tests / autopkgtests?
  - has build tests and autopkgtests
  - recent lunar autopkgtests result in "neutral"
    - likely fine--see mdurl MIR notes
- cron jobs?
  - none
- Build logs:
  - nothing concerning
- Processes spawned?
  - only in helper tool, see bandit reports
- Memory management?
  - standard python
- File IO?
  - file IO exceptions uncaught
  - progress.py overloads IO open() for accounting
- Logging?
  - responds to interactive console input being invalid
    - raises errors, prints warnings, etc. Not the most consistent, but reasonable for _trusted_ input
  - logging.py handles logs _being parsed by_ rich
- Environment variable usage?
  - console.py makes a copy of all env variables
    - Console._environ
    - only a few specific env variables actually used
  - diagnose.py prints a limited set of env variables
- Use of privileged functions?
  - none
- Use of cryptography / random number sources etc?
  - trivial
    - rand 1:1e6 chance of link_id collision
- Use of temp files?
  - none
- Use of networking?
  - none
- Use of WebKit?
  - none
- Use of PolicyKit?
  - none
- Any significant cppcheck results?
  - none
- Any significant Coverity results?
  - not significant
    - reported https://github.com/Textualize/rich/issues/2813
- Any significant shellcheck results?
  - none
- Any significant bandit results?
  - not too significant
    - several cases of Try, Except, Continue
    - ./tools/make_terminal_widths.py contains subprocess shell with runtime dependency on black
Rich has a large userbase with many downstream projects.
This MIR does not apply to kinetic, which requires python3-commonmark
instead of markdown-it-py.
Rich is a relatively heavy and inefficient library, but has pretty
results. Use of rich in netplan is isolated to netplan's status (and
status is not called by other netplan components). Therefore, Security
is not too concerned about adding this.
./tools/ can be removed to avoid the runtime dependency on black. The
directory ./benchmarks/results/ can also be removed to save bandwidth.
Appears to build fine without either. Image file sizes are huge.
This package contains a prerm and postinst script generated by dh-python,
but dh-python is not listed as a Build-Depends in d/control.
This must be resolved before promoting to main.
Security team ACK for promoting rich to main, after (1) dh-python is
added to d/control and (2) removing ./tools/ is considered.
** Bug watch added: github.com/Textualize/rich/issues #1903
https://github.com/Textualize/rich/issues/1903
** Bug watch added: github.com/Textualize/rich/issues #2813
https://github.com/Textualize/rich/issues/2813
** Changed in: rich (Ubuntu)
Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)
** Changed in: rich (Ubuntu)
Status: New => In Progress
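An added example, not from this review or from rich itself, of the kind of source scan behind the bandit and environment-variable findings above: an ast-based check for except handlers whose body is only `continue`, subprocess calls with shell=True, and any access to os.environ, run over a constructed snippet (the sample and the `audit` helper are assumptions, not rich's code).

```python
import ast

# Constructed sample exhibiting the patterns named in the review; not rich's code.
SAMPLE = '''
import os, subprocess
ENV = os.environ.copy()
for path in paths:
    try:
        open(path).read()
    except Exception:
        continue
subprocess.run("black " + path, shell=True)
subprocess.run(["black", path])
'''


def _is_subprocess_call(call: ast.Call) -> bool:
    """True for subprocess.<anything>(...) calls."""
    func = call.func
    return (isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name)
            and func.value.id == "subprocess")


def _is_os_environ(node: ast.Attribute) -> bool:
    """True for the attribute node `os.environ` itself."""
    return (node.attr == "environ" and isinstance(node.value, ast.Name)
            and node.value.id == "os")


def audit(source: str) -> list[tuple[int, str]]:
    """Return (line, finding) pairs, sorted by line, for three review patterns."""
    findings: list[tuple[int, str]] = []
    for node in ast.walk(ast.parse(source)):
        # Like bandit's try_except_continue (B112): handler body is only `continue`.
        if isinstance(node, ast.ExceptHandler):
            if len(node.body) == 1 and isinstance(node.body[0], ast.Continue):
                findings.append((node.lineno, "try/except/continue swallows errors"))
        # Like bandit's subprocess shell=True check (B602).
        elif isinstance(node, ast.Call) and _is_subprocess_call(node):
            for kw in node.keywords:
                if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                    findings.append((node.lineno, "subprocess call with shell=True"))
        # Inventory item, not a defect: every read of os.environ (e.g. a full copy).
        elif isinstance(node, ast.Attribute) and _is_os_environ(node):
            findings.append((node.lineno, "os.environ accessed"))
    return sorted(findings)
```

Running `audit(SAMPLE)` reports the environ copy, the swallowed exception and the shell=True call, and stays silent on the list-form subprocess call on the last line.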
https://bugs.launchpad.net/bugs/2003570
Title:
[MIR] rich
Status in netplan.io package in Ubuntu:
New
Status in rich package in Ubuntu:
In Progress
Bug description:
[Availability]
The package rich is already in Ubuntu universe.
The package rich builds for the architectures it is designed to work on.
It currently builds and works for architectures: all
Link to package https://launchpad.net/ubuntu/+source/rich
[Rationale]
- The package rich is required in Ubuntu main due to a new feature in netplan.io
intended to collect the current system network state and present to the user. A new command
(netplan status) was recently merged (https://github.com/canonical/netplan/pull/290) to netplan
and makes use of python3-rich to present the information.
- The package rich will generally be useful for a large part of
our user base as it will be used by Netplan, which is an important component
of Ubuntu.
- The package rich is a new runtime dependency of package netplan.io that
we already support
- The package rich is required in Ubuntu main no later than Feb 23
due to feature freeze and our plans to release a new version of netplan
with the new feature.
[Security]
- No CVEs/security issues in this software in the past
- no `suid` or `sgid` binaries
- no executables in `/sbin` and `/usr/sbin`
- Package does not install services, timers or recurring jobs
- Package does not open privileged ports (ports < 1024)
- Package does not contain extensions to security-sensitive software
[Quality assurance - function/usage]
- The package works well right after install
[Quality assurance - maintenance]
- The package is maintained well in Debian/Ubuntu and has not too many
and long term critical bugs open
- Ubuntu https://bugs.launchpad.net/ubuntu/+source/rich/+bug
- Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=rich
- The package does not deal with exotic hardware we cannot support
[Quality assurance - testing]
- The package runs a test suite on build time, if it fails
it makes the build fail, link to build log https://launchpad.net/ubuntu/+source/rich/13.0.0-1/+build/25446927
- The package does not run an autopkgtest because it doesn't contain
any
[Quality assurance - packaging]
- debian/watch is present and works
- debian/control defines a correct Maintainer field
- This package does not yield massive lintian Warnings, Errors
- Please link to a recent build log of the package https://launchpadlibrarian.net/644126595/buildlog_ubuntu-lunar-amd64.rich_13.0.0-1_BUILDING.txt.gz
- Lintian overrides are not present
TODO: - This package does not rely on obsolete or about to be demoted
packages.
- This package has no python2 or GTK2 dependencies
- The package will be installed by default, but does not ask debconf
questions higher than medium
- Packaging and build is easy, link to d/rules https://git.launchpad.net/ubuntu/+source/rich/tree/debian/rules
[UI standards]
- Application is not end-user facing (does not need translation)
[Dependencies]
There are further dependencies that are not yet in main, MIR for them is at:
https://bugs.launchpad.net/ubuntu/+source/markdown-it-py/+bug/2003568
https://bugs.launchpad.net/ubuntu/+source/mdurl/+bug/2002818
https://bugs.launchpad.net/ubuntu/+source/python-typing-extensions/+bug/2002821
Please note that rich does not yet depend on markdown-it-py but upstream
just migrated to it. A new version of src:rich will add it as a
dependency and drop commonmark.
[Standards compliance]
- This package correctly follows FHS and Debian Policy
[Maintenance/Owner]
- Owning Team will be Foundations
- Team is not yet, but will subscribe to the package before promotion
- This does not use static builds
- This does not use vendored code
- This package is not rust based
- The package has been built in the archive more recently than the last
test rebuild
[Background information]
- The Package description explains the package well
- Upstream Name is rich
- Link to upstream project https://github.com/Textualize/rich